It is well known that search SVP is equivalent to optimization SVP. However, the former
reduction from search SVP to optimization SVP by Kannan needs polynomially many calls to
the oracle that solves the optimization SVP. In this paper, a new rank-preserving reduction
is presented with only one call to the optimization SVP oracle. It is obvious that the new
reduction needs the least calls, and improves Kannan's classical result. What's more, the
idea also leads to a similar direct reduction from search CVP to optimization CVP with only
one call to the oracle.

Keywords: Search SVP, Optimization SVP, Lattice, Reduction.

1 Introduction

Given a matrix $B = (b_{ij}) \in \mathbb{R}^{m \times n}$ with rank $n$, the lattice $\mathcal{L}(B)$ spanned by the columns of $B$ is

$$\mathcal{L}(B) = \Big\{ \sum_{i=1}^{n} x_i b_i \;\Big|\; x_i \in \mathbb{Z} \Big\},$$

where $b_i$ is the $i$-th column of $B$. Lattices have many important applications in cryptography.
The shortest vector problem (SVP) and the closest vector problem (CVP) are two of the most
famous lattice problems.

SVP refers to finding the shortest non-zero vector in a given lattice. There are three different
variants of SVP:

1. Search SVP: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find $v \in \mathcal{L}(B)$ such that $\|v\| = \lambda_1(\mathcal{L}(B))$,
where $\lambda_1(\mathcal{L}(B))$ is the length of the shortest non-zero vector in $\mathcal{L}(B)$.

2. Optimization SVP: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find $\lambda_1(\mathcal{L}(B))$.

3. Decisional SVP: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$ and a rational $r \in \mathbb{Q}$, decide whether
$\lambda_1(\mathcal{L}(B)) \le r$ or not.
It has been proved that the three problems are equivalent to each other (see [2]). It is easy to
check that the decisional SVP is as hard as the optimization SVP and the optimization variant 
can be reduced to the search variant. 

In 1987, Kannan [1] also showed that the search variant can be reduced to the optimization
variant. The basic idea of his reduction is to recover the integer coefficients of some shortest
vector under the given lattice basis by introducing small errors to the original lattice basis.
However, his reduction is a bit complex. It needs polynomially many calls to the optimization SVP
oracle, since it could not determine the signs of the shortest vector's entries at one time. It also
needs the oracle to solve optimization SVP for some lattices of lower rank, in addition to lattices
of the same rank as the original lattice.

In this paper, we propose a new rank-preserving reduction which can solve the search SVP
with only one call to the optimization SVP oracle. It is obvious that there is no reduction with
fewer calls than ours. Instead of recovering the shortest vector directly as in [1], we first recover
the integer coefficients of some shortest vector under the given lattice basis, then recover the
shortest vector.

A similar direct reduction from search CVP to optimization CVP with only one call also holds,
whereas some popular reductions [2] [3] usually take decisional CVP to bridge the search CVP
and optimization CVP. The former reduction from decisional CVP to optimization CVP needs
one call to the optimization CVP oracle, but it needs polynomially many calls to the decisional
CVP oracle to reduce search CVP to decisional CVP.

2 The New Reduction 

For simplicity, we just give the new reduction for the full rank lattice, i.e. $n = m$, as in [1]. It
is easy to generalize the new reduction to lattices with rank $n < m$.

2.1 Some Notations

Given a lattice basis $B = (b_{ij}) \in \mathbb{R}^{n \times n}$, let $M(B) = \max |b_{ij}|$. For lattice $\mathcal{L}(B)$, we define its
SVP solution set $S_B$ as:

$$S_B = \{ x \in \mathbb{Z}^n \mid \|Bx\| = \lambda_1(\mathcal{L}(B)) \}.$$

Denote by $poly(n)$ the polynomial in $n$.

2.2 Some Lemmas

We need some lemmas to prove our main theorem.

Lemma 1. For every positive integer $n$, there exist $n$ positive integers $a_1 < a_2 < \cdots < a_n$ s.t.
all the $a_i + a_j$ ($i \le j$)'s are distinct and $a_n$ is bounded by $poly(n)$.

Proof. We can take $a_k = (n^2 + k - 1)^2$ for $k = 1, 2, \cdots, n$. Suppose $a_{i_1} + a_{j_1} = a_{i_2} + a_{j_2}$ for
some $i_1, j_1, i_2, j_2$, we get $(i_1 - 1)^2 + (j_1 - 1)^2 + 2n^2((i_1 - 1) + (j_1 - 1)) = (i_2 - 1)^2 + (j_2 - 1)^2 + 2n^2((i_2 - 1) + (j_2 - 1))$.
Since $(i_1 - 1)^2 + (j_1 - 1)^2$, $(i_2 - 1)^2 + (j_2 - 1)^2 < 2n^2$, we have
$(i_1 - 1)^2 + (j_1 - 1)^2 = (i_2 - 1)^2 + (j_2 - 1)^2$ and $i_1 + j_1 = i_2 + j_2$, which leads to $\{i_1, j_1\} = \{i_2, j_2\}$.

Hence all the $a_i + a_j$ ($i \le j$)'s are distinct. It is obvious that $a_n \le (n^2 + n - 1)^2$. □

Lemma 2. Given positive odd integer $p > 2$, and any positive integer $n$, which satisfies
$n = \sum_{i=0} n_i p^i$ where $|n_i| <$ then we can recover the coefficients $n_i$'s in polynomial time.

Proof. We can recover $n_0$ by computing $a = n \bmod p$ and choosing $a$ in the interval from $-\lfloor p/2 \rfloor$
to $\lfloor p/2 \rfloor$. After obtaining $n_0$, we get another integer $(n - n_0 \cdot p^0)/p$. Recursively, we can recover
all the coefficients. This can be done in polynomial time obviously. □

Lemma 3. For bivariate polynomial $f(x, y) = xy$, given any lattice basis matrix $B \in \mathbb{Z}^{n \times n}$,
$\lambda_1(\mathcal{L}(B))$ has an upper bound $f(M, n)$, where $M = M(B)$. What's more, for every $x \in S_B$, $|x_i|$
($i = 1, \cdots, n$) has an upper bound $f(M^n, n^n)$.

Proof. The length of any column of $B$ is an upper bound of $\lambda_1(\mathcal{L}(B))$, so $\lambda_1(\mathcal{L}(B)) \le n^{1/2} M \le nM$.

For $x \in S_B$, we let $y = Bx$, then $= \lambda_1(\mathcal{L}(B)) \le \sqrt{n} M$. By Cramer's rule, we know that

$$x_i = \frac{\det(B^{(i)})}{\det(B)},$$

where $B^{(i)}$ is formed by replacing the $i$-th column of $B$ by $y$. By Hadamard's inequality,
$|\det(B^{(i)})| \le n^{n/2} M^n \le n^n M^n$. We know $|\det(B)| \ge 1$ since $\det(B)$ is a non-zero integer.
Hence $|x_i| \le n^n M^n$. □

2.3 The Main Theorem 

Theorem 1. Assume there exists an oracle $O$ that can solve the optimization SVP for any
lattice $\mathcal{L}(B')$ with basis $B' \in \mathbb{Z}^{n \times n}$, then there is an algorithm that can solve the search SVP for
any lattice $\mathcal{L}(B)$ with basis $B \in \mathbb{Z}^{n \times n}$ with only one call to $O$ in $poly(\log_2 M, n, \log_2 n)$ time,
where $M = M(B)$.

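Proof. The main steps of the algorithm are as below:
(1) Constructing a new lattice basis $B_\epsilon \in \mathbb{Z}^{n \times n}$.
We construct $B_\epsilon$ from the original lattice basis $B$:

$$B_\epsilon = \epsilon_{n+1} B + \begin{pmatrix} \epsilon_1 & \epsilon_2 & \cdots & \epsilon_n \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix},$$

where the $\epsilon_i$ will be determined as below.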

For any $x \in \mathbb{Z}^n$, we define $c(x) = \sum_{i=1}^{n} b_{1i} x_i$. For $x \in S_B$, by Lemma 3, $|x_i|$ has an upper
bound $f(M^n, n^n)$. Let $M_1 = 2f((M+1)^n, n^n)$. In addition, $\|Bx\| = \lambda_1(\mathcal{L}(B))$ is bounded by
$f(M, n)$. Let $M_2 = f(M +$ $|c(x)|$ is also bounded by $M_2$ since $|c(x)| \le \|Bx\|$. We let

$$p = 2 * \max\{M_1^2, 2M_1M_2, 2M_1^2\} + 1.$$

By Lemma 1 we can choose $n + 1$ positive integers $a_1 < a_2 < \ldots < a_{n+1}$, such that all the
$a_i + a_j$ ($i \le j$)'s are distinct where $a_{n+1}$ is bounded by $poly(n)$. Let

We first show that $\left|\det\left(\frac{1}{\epsilon_{n+1}} B_\epsilon\right)\right| > \frac{1}{2}$, so $B_\epsilon$ is indeed a lattice basis. Notice that



1 " 

det ( B^) = det{B) + J] 



where is the cofactor of Bu in B. Since < 4 and laA < M""i(n-1)""^ I Oj-^l < 

^jy-n-l^n ^ 1 



-!tM" -"^n" < i. By the fact that $\det(B)$ is a non-zero integer, we get

$$\left|\det\left(\frac{1}{\epsilon_{n+1}} B_\epsilon\right)\right| > \frac{1}{2}. \quad (1)$$

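We claim that $S_{B_\epsilon} \subseteq S_B$. Since $= S_{\frac{1}{\epsilon_{n+1}} B_\epsilon}$, it is enough to prove $S_{\frac{1}{\epsilon_{n+1}} B_\epsilon} \subseteq S_B$.

For any $x \in S_{\frac{1}{\epsilon_{n+1}} B_\epsilon}$, by (1) and the proof of Lemma 3 we know that $|x_i| \le M_1$, $|c(x)| \le M_2$.
By the choice of $p$, $x_i^2$, $2c(x)x_j$, $2x_ix_j$ are in the interval $[-\lfloor p/2 \rfloor, \lfloor p/2 \rfloor]$. Together with the fact
that $\frac{\epsilon_i \epsilon_j}{\epsilon_{n+1}^2}$ ($i \le j$)'s are different powers of $p$, we have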

'=n + l 

> ||5x||2-([p/2j+l)^. 
Similarly, for any $y \in S_B$, we have

= +Er=i?/.'(^)'+Er=i2c(y)y.^+E.<,22/.%-|j 

< Ai(L(i?))2 + ([p/2j+l)^ 



(3) 



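Next, we prove $S_{\frac{1}{\epsilon_{n+1}} B_\epsilon} \subseteq S_B$. Suppose there exists $x \in S_{\frac{1}{\epsilon_{n+1}} B_\epsilon}$ but $x \notin S_B$, then

$$\|Bx\|^2 \ge \lambda_1(\mathcal{L}(B))^2 + 1. \quad (4)$$

Notice that < ^, we have < (|p/2| + 1)-^ < i. Together with (2), (3) and (4), we
have

$$\begin{aligned} &\ge \|Bx\|^2 - (\lfloor p/2 \rfloor + 1)\,err \\ &\ge \lambda_1(\mathcal{L}(B))^2 + 1 - (\lfloor p/2 \rfloor + 1)\,err \\ &> \lambda_1(\mathcal{L}(B))^2 + (\lfloor p/2 \rfloor + 1)\,err \\ &\ge \left\|\tfrac{1}{\epsilon_{n+1}} B_\epsilon y\right\|^2, \end{aligned}$$

which is a contradiction, since $\frac{1}{\epsilon_{n+1}} B_\epsilon y \in \mathcal{L}\left(\frac{1}{\epsilon_{n+1}} B_\epsilon\right)$. Hence $S_{B_\epsilon} \subseteq S_B$.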

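(2) Querying the oracle $O$ with $B_\epsilon$ once, we get $\lambda_1(\mathcal{L}(B_\epsilon))$.
So there exists $x = (x_1, \ldots, x_n)^T \in S_{B_\epsilon} \subseteq S_B$, such that

$$+ \sum_{i=1}^{n} x_i^2 \epsilon_i^2 + \sum_{j=1}^{n} 2c(x) x_j \epsilon_{n+1} \epsilon_j + \sum_{i<j} 2 x_i x_j \epsilon_i \epsilon_j = \lambda_1(\mathcal{L}(B_\epsilon))^2.$$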

(3) Recovering all the $x_i$'s and output $Bx$.

Since $x \in S_B$, every coefficient $x_i^2$, $2c(x)x_j$, $2x_ix_j$ is in the interval $[-\lfloor p/2 \rfloor, \lfloor p/2 \rfloor]$ and
$\epsilon_i \epsilon_j$ ($i \le j$)'s are different powers of $p$. Hence, $\log_2(\lambda_1(\mathcal{L}(B_\epsilon)))$ is bounded by $poly(\log_2 M, n, \log_2 n)$.
Furthermore, by Lemma 2 we can recover all the coefficients in $poly(\log_2 M, n, \log_2 n)$ time.
Especially, we can recover all $x_i^2$ and $x_ix_j$ ($i \ne j$). Let $k = \min\{i \mid x_i \ne 0\}$. We fix $x_k = \sqrt{x_k^2} > 0$,
and can recover all the remaining $x_j = \mathrm{sign}(x_kx_j)\sqrt{x_j^2}$ according to $x_j^2$ and $x_kx_j$ ($k \ne j$).

It is easy to check that the complexity of every step is bounded by $poly(\log_2 M, n, \log_2 n)$. □
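The whole reduction on a toy instance, as an added illustration that is not code from the paper: Lemma 1 supplies the exponents, steps (1) and (2) build $B_\epsilon$ and query once, and Lemma 2 plus step (3) decode the answer. Assumptions: $\epsilon_i = p^{a_i}$, $p = 11$ picked by hand for the constructed 2×2 basis rather than derived from $M_1$ and $M_2$, a brute-force stand-in for the oracle $O$ that returns the squared length, and hypothetical function names.

```python
from itertools import product
from math import isqrt

def sidon(n):
    """Lemma 1: a_k = (n^2 + k - 1)^2; all sums a_i + a_j (i <= j) are distinct."""
    return [(n * n + k - 1) ** 2 for k in range(1, n + 1)]

def balanced_digits(N, p):
    """Lemma 2: base-p digits of N, each taken from [-(p//2), p//2] (p odd)."""
    digits, e = {}, 0
    while N:
        d = N % p
        if d > p // 2:
            d -= p
        if d:
            digits[e] = d          # keep only non-zero digits, keyed by exponent
        N, e = (N - d) // p, e + 1
    return digits

def perturbed_basis(B, p):
    """Step (1): eps_{n+1} * B with (eps_1 .. eps_n) added to the first row.
    Assumption: eps_i = p**a_i, so every eps_i * eps_j is a distinct power of p."""
    n = len(B)
    a = sidon(n + 1)
    Be = [[p ** a[n] * B[r][c] + (p ** a[c] if r == 0 else 0) for c in range(n)]
          for r in range(n)]
    return Be, a

def toy_oracle_sq(basis, box):
    """Stand-in for the oracle O: brute-force lambda_1^2 over non-zero x, |x_i| <= box."""
    n = len(basis)
    return min(sum(sum(row[c] * x[c] for c in range(n)) ** 2 for row in basis)
               for x in product(range(-box, box + 1), repeat=n) if any(x))

def search_svp(B, p, box=3):
    n = len(B)
    Be, a = perturbed_basis(B, p)
    d = balanced_digits(toy_oracle_sq(Be, box), p)   # step (2): the single oracle call
    sq = [d.get(2 * a[i], 0) for i in range(n)]      # digit at eps_i^2 is x_i^2
    k = next(i for i in range(n) if sq[i])           # first non-zero x_k, fixed positive
    x = [isqrt(sq[j]) * (1 if j == k or d.get(a[k] + a[j], 0) > 0 else -1)
         for j in range(n)]                          # sign of x_j from digit 2*x_k*x_j
    return x, [sum(B[r][c] * x[c] for c in range(n)) for r in range(n)]

# Constructed sample: columns (5,1) and (9,0); every digit lies in [-5, 5], so p = 11.
B = [[5, 9], [1, 0]]
x, v = search_svp(B, 11)
print("x =", x, "shortest vector =", v)
```
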

Remark 1. For any search CVP instance $(B, t)$, given an oracle which can solve the optimization
CVP, we can call the oracle with $(B_\epsilon, \epsilon_{n+1} t)$ only once to solve the search CVP similarly.



3 Conclusions 

In this paper, we give a new reduction from search SVP to optimization SVP with only one 
call, which is the least, to the optimization SVP oracle. A similar result for CVP also holds. 
However, it seems hard to apply the idea for GapSVP or GapCVP, since the new reduction is 
also sensitive to the error. 